From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: using iptables to deny ipsec connections
Date: Mon, 10 Nov 2008 19:10:37 -0600 [thread overview]
Message-ID: <4918DB8D.8010503@riverviewtech.net> (raw)
In-Reply-To: <D50E2D13-F2E8-4830-883A-9495D904A96D@nd.edu>
On 11/10/2008 6:22 PM, Eric Lease Morgan wrote:
> How do I use iptables to deny IPSEC connections?
I'm not 100% sure, but I think you can block ESP, IP protocol 50.
> I am running iptables v1.3.8 on Fedora 5. On a regular basis a remote
> host connects to my machine and gobbles up more than 3 MB/sec of
> bandwidth, makes my swap space almost full, and always seems to be
> associated with a second, remote machine. Not only is this irritating
> but it is also embarrassing. I'm not sure, but I think remote machine
> one is talking to remote machine two.
Do you have any thing IPSec related installed or in kernel? (I don't
use Fedora so I don't know what the default is.)
I find it very unlikely that one (or more) unknown system(s) are
successfully negotiating an IPSec connection to your system with out
your knowledge and help. About the only way that I can see this
happening is if your security has been breached and someone else with
knowledge of IPSec set it up.
> I have a rule in /etc/sysconfig/iptables that looks like this (with IP
> changed to protect the guilty):
>
> -A RH-Firewall-1-INPUT -s 123.456.789.109 -j REJECT
>
> I believe this rule says, "Reject any connections coming from
> 123.456.789.109", but after I restart iptables the connections persist.
Well, the simple act of matching based on the source and rejecting is
correct. However, like I said above, I don't know any thing about
Fedora so I can't say any thing to the RH-Firewall-1-INPUT chain being
referenced.
Also, does the rule persist after you restart your firewall, or is it
getting flushed out when you restart the firewall?
> Using ntop as my diagnostic tool, I see that 0% of the connections from
> 123.456.789.109 are IP-based but rather IPSEC-based. (Does such a thing
> make sense?)
Well, IPSec's ESP rides on top of IP, so, I'm not quite sure why this is
worded the way that it is.
> How do I either: 1) deny any access to my machine from 123.456.789.109,
> or 2) deny any connections that are IPSEC-based because I have no such
> need for IPSEC, I think. What is host 123.456.789.109 exploiting?
A simple IPTables rule like above /should/ do what you are wanting. I
have a feeling that something else here is in play here with out your
knowledge.
Do you have a capture of any of the traffic?
Grant. . . .
next prev parent reply other threads:[~2008-11-11 1:10 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <S1752377AbYKKAIu/20081111000850Z+3277@vger.kernel.org>
2008-11-11 0:22 ` using iptables to deny ipsec connections Eric Lease Morgan
2008-11-11 1:10 ` Grant Taylor [this message]
2008-11-13 3:36 ` Eric Lease Morgan
2008-11-13 17:44 ` Bill Chappell
2008-11-13 17:49 ` Bill Chappell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4918DB8D.8010503@riverviewtech.net \
--to=gtaylor@riverviewtech.net \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox